Having spawned processes with a [stealth] denomination is never a good sign – to find the actual path where the process originates from, we can use the following command:
ls -l /proc/<pid>/exeYou can also check out the directory using /proc/<pid>/cwd
These processes are never a good sign – consider your host compromised and do not trust it!